The U.S. Department of Health and Human Services (HHS) has used its authority to waive certain provisions of HIPAA in response to Hurricane Harvey.  HHS previously declared a public health emergency in Texas and Louisiana related to the hurricane and its aftermath.  

Under the waiver, HHS waives sanctions against covered hospitals that do not comply with HIPAA requirements to distribute a notice of privacy practices; obtain a patient’s agreement in order to speak with family and friends; and honor a request to opt out of a facility directory. HHS also waives sanctions against covered hospitals that do not comply with a patient’s right to request privacy restrictions or confidential communications.

The waiver applies only in the emergency area and for the period identified in the declaration of public health emergency. The waiver is limited to hospitals that have instituted a disaster protocol, and applies for a period of up to 72 hours from the time the protocol is implemented or, if shorter, until the time when the state of emergency is lifted.

This post is also being shared on our Data Privacy + Security Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.